The free and open source file hosting solution Nextcloud is available in the Univention App Center either preconfigured or as a virtual appliance and is therefore quickly installed and set up on UCS. Nextcloud can also offer it‘s services on a central server in large, distributed environments and is therefore ideal for integrating network shares from other computers.
In this blog article, I‘ll show you how Nextcloud can automatically provide UCS@school shares of users, classes, or workgroups. This makes data that would otherwise only be accessible on a local school network centrally available, which is especially useful in large environments with many computers and thousands of accounts. We at Univention have developed a solution for two school districts that uses the Nextcloud External storage support app together with the Univention Directory Listener to automatically integrate Samba shares into Nextcloud.
The Setup: Central UCS Server and at Each School
We have already successfully applied our approach to the two districts of Chemnitz and Fulda. One of the two school authorities provides digital identities of the users and other services for around 80 schools via UCS@school. Several central UCS servers act as domain controllers, mail and groupware servers. Nextcloud also runs on one of the servers. All services are accessible via the Internet.
In addition, each school has a UCS@school server that provides domain services (authentication, print server, etc.) and also serves as a file server. The local UCS@school servers are important for the schools – e.g. if the network connection fails or the (upload) bandwidth is insufficient.
Each school has a number of clients; these include PCs, laptops, mobile devices, etc. All clients have access to the central Nextcloud installation, provided they have an Internet connection. Of course, teachers and students can also access the local file server and its data. However, this access lapses as soon as a device leaves the local school network. If you want to continue working on a project from home, you can download the data beforehand and take it with you, for example on a USB stick, but this is not very practical and also poses a security risk for the school’s own devices.
Nextcloud App and Univention Directory Listener
The Nextcloud app External storage support offers a way out. It enables the integration of external storage and makes it available to users as if it were a usual Nextcloud folder. We use this feature to integrate Samba releases from the UCS@school servers into the central Nextcloud instance. In this way, students and teaching staff can access their personal data at any time, whether they are on the school network or not.
Our client needed to integrate dozens of file servers and automatically make thousands of user and group shares available in Nextcloud. Specifically, we were dealing with the following dimensions for a school district:
- About 40.000 home directories of the users (thousands are added and removed every year)
- Approx. 3,000 groups (with hundreds being added and removed every year)
- A new share for each user and each group
- All shares are distributed over a total of 80 schools
In addition to the Nextcloud app, the Directory Listener is also used. This interface receives notifications of changes in the Identity Management System (IDM) from the Univention Directory Notifier and reacts accordingly. The Directory Listener has a modular structure and can therefore be easily extended with plug-ins. Whenever there is a new user account or a new class/workgroup in UCS@school, a Samba share is created at the same time. This change in the IDM is passed on to a listener plug-in, which then sets up a corresponding external storage in Nextcloud.
Customizing the Local UCS@school Servers
The plug-in, which automatically configures the external storage in Nextcloud, ensures that all shares are accessible to new users and groups. Several packages from the Cool-Solutions-Repository are used for this. Here we also offer software that activates the UCS@school groups for Nextcloud; there is no direct interaction with Nextcloud at this point. This is especially useful for environments in which Nextcloud is subsequently installed so there is no need to activate all groups individually in Nextcloud and then integrate the shares. With 1,000 groups or more, the manual procedure is far too time-consuming.
Note that any external storage in Nextcloud must be restricted to one or more groups or users, otherwise the share will be visible to all. Suppose there were a group called School1-1a that is created in UCS@school but not enabled for Nextcloud. Then it would be possible to include the corresponding share, but the admin could not limit the visibility in Nextcloud to the members of the group. The packages from the Cool-Solutions-Repository take care of this: if a group is not found, the respective share in Nextcloud is restricted to the default user nc_admin, so that it does not suddenly appear to all users inside Nextcloud.
When a user account or group is deleted in UCS@school, the listener plug-in takes action again and deletes the entry of the corresponding share in Nextcloud. The share itself is deleted by UCS. Strictly speaking not the actual data of the share is deleted from the file system, but only the share object in UCS, so that the share can no longer be reached.
Version 2.0: Support for UCS
Further information and detailed instructions can be found in the article on our help pages in the Cool Solution section. Currently I’m collecting ideas and suggestions for version 2.0 of this feature, which among other things should have a better LDAP integration and run independently from UCS@school. This will allow us to support normal UCS shares and not only the UCS@school-specific network shares. I am looking forward to your feedback – gladly as a comment to this blog article.
More Interesting Articles
- The Way to the IT Concept For the Schools In the District of Harz
- Univention App Center receives Nextcloud 16